Automatically close stale detections in Vulnerability Response
Enable Auto-Close Stale Detections to automatically close stale vulnerable detections not recently found by your third-party integrations.
Before you begin
Role required: sn_vul.vulnerability_admin or sn_vul.admin (deprecated), or a vulnerability manager with the sn_vul.manage_auto_close_stale_vi granular role.
For more information about this feature, its key terms, and any setup that your third-party integrations that import detection data may require, see Closing stale detections in Vulnerability Response.
Procedure
- Navigate to Vulnerability Response > Administration > Auto-Close Configuration > Stale Detections. The Auto-Close Stale Configuration form is displayed.
- Fill in the fields.
- For the Auto-close stale detections based on field, choose one option. Both options compare the age of older, stale detections, in days, against a date provided by your scanner. Note: Starting with v22.0 of Vulnerability Response, the options Detections last found and Assets last scanned are presented as a list.
- Detections last found. This option uses the most recent date on which the scanner found the detection again. Note: For Rapid7 and Microsoft TVM users, a warning message is displayed about requiring current detection information. If you base your search on Detections last found, this feature requires a successful integration run within the last seven days: for Rapid7, one of the Rapid7 Comprehensive Vulnerable Item Integrations; for Microsoft TVM, the Microsoft TVM Machine Vulnerabilities Integration (Full import).
- Assets last scanned. This option uses the most recent date on which a third-party scanner scanned the asset.
- For Rapid7 and Microsoft TVM users only, verify that any required integrations are enabled.
- To enable the module, click the Active check box to select it.
- In the Detections last found (days ago) field (labeled Assets last scanned (days ago) when that option is selected), enter the age, in days, beyond which a detection is considered stale. The default is 90 days; any positive integer is accepted. The daily job compares this value against the date provided by your scanner. With 90 and Detections last found selected, any detection not found again in the last 90 days is automatically closed. With 90 and Assets last scanned selected, any detection associated with an asset not scanned in the last 90 days is automatically closed.
Note: There is a relationship between the Detections last found/Assets last scanned (days ago) field for this feature and the Import since field on the Rapid7 Comprehensive Vulnerable Item Integration - API and the Microsoft TVM Machine Vulnerabilities integration.
For these integrations, the Import since field on the configuration pages is empty by default.
If you leave the field empty, the number of days configured in the Detections last found/Assets last scanned (days ago) field is used instead.
For example, if the auto-close configuration form specifies 90 days and the Import since field is empty on the integration configuration pages, the first integration run imports the data for the last 90 days. The Import since fields for the Rapid7 Comprehensive Vulnerable Item Integration - API and the Microsoft TVM Machine Vulnerabilities integration are editable, so you can also enter any value you want. The 90-day fallback exists so that the first run imports at least as much history as the auto-close window covers; otherwise detections that the scanner still reports, but that were never imported, would be closed as false positives.
This relationship applies only to the first integration run. After the first run, the Import since field is set to that run's start time so that subsequent runs import only the delta, and changing the Detections last found/Assets last scanned (days ago) field on the Auto-Close Stale Vulnerable detections form no longer affects the Import since field on the integration configuration pages.
- Optional: Select the Ignore stale detections for deferred VIs check box to skip stale detections that are mapped to deferred VIs or to VIs currently in review for deferral.
If you leave this option disabled, any detections that match your criteria are closed even when they map to deferred VIs or to VIs in review for deferral. Those deferred or in-review VIs are then also closed automatically by the roll-up logic. For more information on the roll-up logic, see Closing stale detections in Vulnerability Response and State roll-up and roll-down scenarios.
If you enable this option, any detections that match your criteria but map to deferred VIs, or to VIs in review for deferral, are skipped during auto-close.
- Optional: Deselect the Ignore stale detections for closed VIs check box.
By default, this check box is selected so that a closed VI is not reopened when a new detection related to it is identified. For more information on the roll-up logic, see Closing stale detections in Vulnerability Response and State roll-up and roll-down scenarios.
- Click Update to save your changes.
The Auto-Close Stale Detections scheduled job runs daily. The job checks whether you selected the date when detections were last found or the date when assets were last scanned, and then transitions the corresponding detections to the Stale state. Note that the Auto-Close Stale Detections feature only processes detections imported by active integration instances: vulnerable items and detections associated with inactive integration instances are left untouched. Starting with v22.0 of Vulnerability Response, the scheduled job also takes the common table [sn_vul_cmn_auto_close_rule] into account.
After a detection is marked Stale, if the scanner reports finding it again, the Status field of the detection transitions to Open, and the detection's corresponding vulnerable items are reopened.
If a detection is marked Stale and the scanner then reports it as Fixed, the detection transitions to Closed, and that state rolls up to the VIs.
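As an added illustration, and not ServiceNow code or the product's actual scheduled job, the following stand-alone JavaScript models the evaluation described on this page: which scanner date the selected mode compares, the days-ago threshold, the restriction to active integration instances, the deferred-VI and closed-VI skips, the roll-up of the result to the VI, the reopen or close transitions when a later scanner report arrives, and the first-run Import since fallback. Only the form field and option names come from the page; the record shapes, helper names, and the sample data are constructed assumptions for the example.

```javascript
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Mirrors the fields on the Auto-Close Stale Configuration form (names from the page).
function makeConfig(overrides = {}) {
  return Object.assign({
    active: true,
    basedOn: 'Detections last found',   // or 'Assets last scanned'
    daysAgo: 90,                        // Detections last found/Assets last scanned (days ago)
    ignoreDeferredVIs: true,            // Ignore stale detections for deferred VIs
    ignoreClosedVIs: true,              // Ignore stale detections for closed VIs (default: selected)
  }, overrides);
}

function daysAgo(now, n) { return new Date(now.getTime() - n * MS_PER_DAY); }

// Constructed sample data (assumed record shapes, not a real instance). A fresh copy is
// returned on each call because runAutoClose mutates detection and VI state.
function sampleData(now) {
  return {
    integrations: { rapid7: { active: true }, legacy: { active: false } },
    assets: {
      a1: { lastScanned: daysAgo(now, 10) },
      a2: { lastScanned: daysAgo(now, 120) },
      a3: { lastScanned: daysAgo(now, 200) },
    },
    vis: { v1: { state: 'Open' }, v2: { state: 'Open' }, v3: { state: 'Deferred' },
           v4: { state: 'Open' }, v5: { state: 'Closed' } },
    detections: [
      // stale by Detections last found, fresh by Assets last scanned
      { id: 'd1', integration: 'rapid7', asset: 'a1', vi: 'v1', status: 'Open', lastFound: daysAgo(now, 100) },
      // fresh by Detections last found, stale by Assets last scanned
      { id: 'd2', integration: 'rapid7', asset: 'a2', vi: 'v2', status: 'Open', lastFound: daysAgo(now, 10) },
      // stale, but mapped to a deferred VI
      { id: 'd3', integration: 'rapid7', asset: 'a3', vi: 'v3', status: 'Open', lastFound: daysAgo(now, 200) },
      // stale, but imported by an inactive integration instance
      { id: 'd4', integration: 'legacy', asset: 'a3', vi: 'v4', status: 'Open', lastFound: daysAgo(now, 200) },
      // stale, but mapped to a closed VI
      { id: 'd5', integration: 'rapid7', asset: 'a3', vi: 'v5', status: 'Open', lastFound: daysAgo(now, 200) },
    ],
  };
}

// The scanner-provided date the configured option compares against.
function referenceDate(detection, data, cfg) {
  return cfg.basedOn === 'Assets last scanned'
    ? data.assets[detection.asset].lastScanned
    : detection.lastFound;
}

// Roll-up from detections to VIs: a VI with no Open detection left is closed.
function rollUp(data) {
  for (const [viId, vi] of Object.entries(data.vis)) {
    const hasOpen = data.detections.some(d => d.vi === viId && d.status === 'Open');
    if (!hasOpen) vi.state = 'Closed';
  }
}

// One pass of the daily job. Returns the ids marked Stale and the ids skipped, with a reason.
function runAutoClose(data, cfg, now) {
  const result = { stale: [], skipped: {} };
  if (!cfg.active) return result;
  for (const d of data.detections) {
    if (d.status !== 'Open') continue;
    if (!data.integrations[d.integration].active) { result.skipped[d.id] = 'inactive integration'; continue; }
    const viState = data.vis[d.vi].state;
    if (cfg.ignoreClosedVIs && viState === 'Closed') { result.skipped[d.id] = 'closed VI'; continue; }
    if (cfg.ignoreDeferredVIs && (viState === 'Deferred' || viState === 'In Review')) {
      result.skipped[d.id] = 'deferred VI'; continue;
    }
    const ageDays = (now.getTime() - referenceDate(d, data, cfg).getTime()) / MS_PER_DAY;
    if (ageDays <= cfg.daysAgo) continue;       // still within the window
    d.status = 'Stale';
    result.stale.push(d.id);
  }
  rollUp(data);
  return result;
}

// What a later scanner import does to a detection that is already Stale.
function applyScannerResult(detection, data, finding) {
  if (detection.status !== 'Stale') return detection.status;
  if (finding === 'found') { detection.status = 'Open'; data.vis[detection.vi].state = 'Open'; }
  else if (finding === 'fixed') { detection.status = 'Closed'; rollUp(data); }
  return detection.status;
}

// First integration run only: an empty Import since falls back to the configured window.
function effectiveImportSince(importSince, cfg, now) {
  return importSince instanceof Date ? importSince : daysAgo(now, cfg.daysAgo);
}
```

Run `runAutoClose(sampleData(now), makeConfig(), now)` to see only d1 marked Stale (and v1 closed by roll-up), while d3, d4 and d5 are reported as skipped; switch `basedOn` to `'Assets last scanned'` and the same data instead stales d2, which shows why the choice of option matters when scan and detection dates diverge.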